
CVE-2024-21643: CWE-94: Improper Control of Generation of Code ('Code Injection') in AzureAD azure-activedirectory-identitymodel-extensions-for-dotnet

High
Tags: vulnerability, cve, cve-2024-21643, cwe-94
Published: Wed Jan 10 2024 (01/10/2024, 04:13:16 UTC)
Source: CVE Database V5
Vendor/Project: AzureAD
Product: azure-activedirectory-identitymodel-extensions-for-dotnet

Description

IdentityModel Extensions for .NET provide assemblies for web developers that wish to use federated identity providers for establishing the caller's identity. Anyone leveraging the `SignedHttpRequest` protocol or the `SignedHttpRequestValidator` is vulnerable. Microsoft.IdentityModel trusts the `jku` claim by default for the `SignedHttpRequest` protocol. This raises the possibility to make any remote or local `HTTP GET` request. The vulnerability has been fixed in Microsoft.IdentityModel.Protocols.SignedHttpRequest. Users should update all their Microsoft.IdentityModel versions to 7.1.2 (for 7x) or higher, 6.34.0 (for 6x) or higher.

AI-Powered Analysis

AI Last updated: 07/11/2025, 05:33:25 UTC

Technical Analysis

CVE-2024-21643 is a high-severity vulnerability classified under CWE-94 (Improper Control of Generation of Code, commonly known as Code Injection) affecting the Azure Active Directory (AzureAD) IdentityModel Extensions for .NET. This library is widely used by web developers to integrate federated identity providers for authenticating users and establishing caller identities in .NET applications. The vulnerability specifically impacts implementations leveraging the SignedHttpRequest protocol or the SignedHttpRequestValidator component. The root cause lies in the Microsoft.IdentityModel library's default behavior of trusting the 'jku' claim within the SignedHttpRequest protocol. The 'jku' claim is intended to provide a URL to a JSON Web Key Set (JWKS) used to validate the signature of the request. Because the library trusts this claim without sufficient validation, an attacker can craft a malicious SignedHttpRequest whose 'jku' claim points to an attacker-controlled URL, forcing the vulnerable application to perform arbitrary HTTP GET requests to remote or local resources. Such behavior can lead to remote code injection scenarios, where attacker-supplied code or data is executed or processed by the application, compromising confidentiality, integrity, and availability. The vulnerability affects all versions of Microsoft.IdentityModel.Protocols.SignedHttpRequest prior to 6.34.0 and versions from 7.0.0-preview up to but not including 7.1.2. Microsoft has addressed this issue in versions 6.34.0 and 7.1.2 and later. The CVSS v3.1 score is 7.1, reflecting a high severity due to network attack vector, low privileges required, no user interaction, and high impact on confidentiality and integrity with some impact on availability. No known exploits have been reported in the wild at the time of publication. Organizations using the affected library versions in their .NET applications that implement federated identity and SignedHttpRequest validation are at risk of code injection attacks if they do not update to patched versions.

Potential Impact

For European organizations, the impact of CVE-2024-21643 can be significant, especially for those relying on AzureAD IdentityModel Extensions for .NET in their authentication and authorization infrastructure. Exploitation could allow attackers to execute arbitrary code or commands within the context of vulnerable applications, leading to unauthorized access to sensitive data, manipulation of authentication tokens, and potential lateral movement within corporate networks. This could result in data breaches, service disruptions, and loss of trust from customers and partners. Given the widespread adoption of Microsoft technologies and AzureAD in Europe, sectors such as finance, healthcare, government, and critical infrastructure are particularly at risk. The ability to perform remote HTTP GET requests via the 'jku' claim manipulation could also facilitate server-side request forgery (SSRF) attacks, enabling attackers to access internal resources not normally exposed externally. This could further escalate the impact by exposing internal services or sensitive endpoints. The high confidentiality and integrity impact combined with the ease of exploitation (no user interaction required) make this vulnerability a serious threat to European organizations that have not yet applied the patches.

Mitigation Recommendations

European organizations should immediately assess their use of Microsoft.IdentityModel.Protocols.SignedHttpRequest in their .NET applications, particularly those implementing federated identity with SignedHttpRequest or SignedHttpRequestValidator. The primary mitigation is to upgrade all affected Microsoft.IdentityModel packages to version 6.34.0 or higher for the 6.x branch, or 7.1.2 or higher for the 7.x branch. Additionally, organizations should audit their codebases and configurations to ensure that the 'jku' claim is not blindly trusted or that additional validation is performed on URLs referenced by this claim. Implementing strict allowlists for JWKS URLs, validating the domain and protocol, and restricting outbound HTTP requests from application servers can reduce the attack surface. Network-level controls such as web application firewalls (WAFs) and egress filtering can help detect and block suspicious HTTP requests triggered by exploitation attempts. Monitoring application logs for anomalous SignedHttpRequest validation failures or unexpected HTTP GET requests can provide early detection of exploitation attempts. Finally, organizations should review their incident response plans to include scenarios involving code injection and SSRF attacks targeting authentication components.
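The allowlist check described above (require https, pin the host, never follow the 'jku' value to an IP literal, alternate port or userinfo-disguised host) as an added, stand-alone example; this is illustrative code, not Microsoft.IdentityModel's own API, and the host names in `ALLOWED_JWKS_HOSTS` are constructed for the example.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this application will ever fetch a JWKS from.
ALLOWED_JWKS_HOSTS = frozenset({"login.microsoftonline.com", "idp.example.com"})


def jku_is_allowed(jku: str, allowed_hosts=ALLOWED_JWKS_HOSTS) -> bool:
    """Return True only if the 'jku' value is an https URL on an allowlisted host.

    Anything else (http/file schemes, IP literals such as loopback or link-local
    metadata addresses, userinfo tricks, non-default ports, unknown hosts) is
    rejected so that a SignedHttpRequest can never steer the validator to an
    attacker-chosen URL.
    """
    try:
        parts = urlsplit(jku)
    except ValueError:
        return False
    # Protocol: only TLS-protected JWKS endpoints.
    if parts.scheme.lower() != "https":
        return False
    # "https://trusted.host@evil.host/" parses with trusted.host as username.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    # Normalise case and a trailing dot so "HOST." cannot bypass the allowlist.
    host = host.lower().rstrip(".")
    # IP literals (127.0.0.1, 169.254.169.254, ::1, ...) are never allowed.
    try:
        ip_address(host)
        return False
    except ValueError:
        pass
    # Default port only, so "host:8443" cannot reach an unintended listener.
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:  # malformed port such as "host:abc"
        return False
    return host in allowed_hosts
```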


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2023-12-29T03:00:44.958Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f531b0bd07c39389f17

Added to database: 6/10/2025, 6:54:11 PM

Last enriched: 7/11/2025, 5:33:25 AM

Last updated: 8/1/2025, 6:49:51 PM
